Security issue when parsing HTML

When running this code, the image onerror handler is run. The onerror attribute is not defined in the schema, so why would this be allowed when parsing with the schema?

import { schema as basicSchema } from 'prosemirror-schema-basic';

const domparser = DOMParser.fromSchema(basicSchema);
const element = document.createElement('div');
element.innerHTML =
    '<div><img  s src c=x on onerror=confirm(document.domain)></div>';
const imageNode = domparser.parse(element, { preserveWhitespace: true });

The handler is run by your code using innerHTML, not by ProseMirror. Look up detached documents for how to do this properly.